There is an assert at ImageCG.cpp:166 which is wrong and causes the assert to be hit unnecessarily. Unzip the attached file and open the index.html file. Then reload over and over again pretty quickly. Sometimes on my machine it can take 60 reloads to hit the bug. But it will eventually happen. The problem is that the CGImageCreateWithImageInRect() function calls CGRectIntegral() to modify the srcRect before creating the image. Then the ASSERT calls CGImageGetHeight() to get the integral height of the image, but subtracts srcRect.y() from currHeight (which is also an integral height) to do the comparison. But srcRect.y() is not an integral position, so the test fails. Changing the test to: ASSERT(CGImageGetHeight(image) == currHeight - CGRectIntegral(srcRect).origin.y); converts srcRect.y() into an integral value and causes the test to succeed. The attached patch does this.
We are trimming down the test case now, will post soon
Created attachment 23352 [details] Patch to fix bug
Created attachment 23354 [details] Testcase
Comment on attachment 23352 [details] Patch to fix bug r=me if you also change currHeight - srcRect.y() to CGImageGetHeight(image) on the next line
Committed r36446 M WebCore/platform/graphics/cg/ImageCG.cpp M WebCore/ChangeLog r36446 = da60464c4f95326036ace5eafb4dd562990c80c2 (trunk)